Table: alicloud_ram_credential_report
Retrieves a credential report for the Alibaba Cloud account. For more information about the credential report, see Generate and download user credential reports in the RAM Guide.
Please note: This table requires a valid credential report to exist. To generate it, run the following Aliyun CLI command:

```bash
aliyun ims GenerateCredentialReport --endpoint ims.aliyuncs.com
```
Examples
List users that have logged into the console in the past 90 days
```sql
select
  user_name,
  user_last_logon
from
  alicloud_ram_credential_report
where
  password_exist
  and password_active
  and user_last_logon > (current_date - interval '90' day);
```
List users that have NOT logged into the console in the past 90 days
```sql
select
  user_name,
  user_last_logon,
  age(user_last_logon)
from
  alicloud_ram_credential_report
where
  password_exist
  and password_active
  and user_last_logon <= (current_date - interval '90' day)
order by
  user_last_logon;
```
List users with console access that have never logged in to the console
```sql
select
  user_name
from
  alicloud_ram_credential_report
where
  password_exist
  and user_last_logon is null;
```
Find access keys older than 90 days
```sql
select
  user_name,
  access_key_1_last_rotated,
  age(access_key_1_last_rotated) as access_key_1_age,
  access_key_2_last_rotated,
  age(access_key_2_last_rotated) as access_key_2_age
from
  alicloud_ram_credential_report
where
  access_key_1_last_rotated <= (current_date - interval '90' day)
  or access_key_2_last_rotated <= (current_date - interval '90' day)
order by
  user_name;
```
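The query above checks only `access_key_1` and `access_key_2`. The following added example (not part of the plugin's own documentation) unpivots all five key slots listed in the column table and reports active keys that are stale or show no recorded use. The 90-day threshold follows the page's other queries; reading a null `last_used` as "no recorded use" is an assumption.

```sql
-- Added example: audit every access-key slot in the credential report.
with keys as (
  select
    r.user_name,
    r.generated_time,
    k.slot, k.key_exist, k.key_active, k.last_rotated, k.last_used
  from
    alicloud_ram_credential_report as r
    cross join lateral (
      values
        ('access_key_1', r.access_key_1_exist, r.access_key_1_active,
          r.access_key_1_last_rotated, r.access_key_1_last_used),
        ('access_key_2', r.access_key_2_exist, r.access_key_2_active,
          r.access_key_2_last_rotated, r.access_key_2_last_used),
        ('additional_access_key_1', r.additional_access_key_1_exist, r.additional_access_key_1_active,
          r.additional_access_key_1_last_rotated, r.additional_access_key_1_last_used),
        ('additional_access_key_2', r.additional_access_key_2_exist, r.additional_access_key_2_active,
          r.additional_access_key_2_last_rotated, r.additional_access_key_2_last_used),
        ('additional_access_key_3', r.additional_access_key_3_exist, r.additional_access_key_3_active,
          r.additional_access_key_3_last_rotated, r.additional_access_key_3_last_used)
    ) as k (slot, key_exist, key_active, last_rotated, last_used)
)
select
  user_name,
  slot,
  last_rotated,
  last_used,
  case
    -- Assumption: a null last_used means the report recorded no use of the key.
    when last_used is null then 'active key with no recorded use'
    when last_used <= (current_date - interval '90' day) then 'active key unused for 90+ days'
    else 'active key not rotated for 90+ days'
  end as finding,
  -- The report is a snapshot; a large age here means the findings are out of date.
  age(generated_time) as report_age
from
  keys
where
  key_exist
  and key_active
  and (
    last_used is null
    or last_used <= (current_date - interval '90' day)
    or last_rotated <= (current_date - interval '90' day)
  )
order by
  user_name,
  slot;
```

If `report_age` is large, regenerate the report with the `GenerateCredentialReport` command shown at the top of the page before acting on the results.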
Find users that have a console password but do not have MFA enabled
```sql
select
  user_name,
  mfa_active,
  password_exist,
  password_active
from
  alicloud_ram_credential_report
where
  password_exist
  and password_active
  and not mfa_active;
```
Check if root login has MFA enabled
```sql
select
  user_name,
  mfa_active
from
  alicloud_ram_credential_report
where
  user_name = '<root>';
```
Query examples
- ram_credential_entities_console_access_with_no_mfa_count
- ram_credential_entities_count
- ram_credential_entities_root_access_keys_table
.inspect alicloud_ram_credential_report
Alicloud RAM Credential Report
Name | Type | Description |
---|---|---|
_ctx | jsonb | Steampipe context in JSON form, e.g. connection_name. |
access_key_1_active | boolean | Indicates whether the user access key is active, or not. |
access_key_1_exist | boolean | Indicates whether the user has an access key, or not. |
access_key_1_last_rotated | timestamp with time zone | Specifies the time when the access key has been rotated. |
access_key_1_last_used | timestamp with time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
access_key_2_active | boolean | Indicates whether the user access key is active, or not. |
access_key_2_exist | boolean | Indicates whether the user has an access key, or not. |
access_key_2_last_rotated | timestamp with time zone | Specifies the time when the access key has been rotated. |
access_key_2_last_used | timestamp with time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
account_id | text | The Alicloud Account ID in which the resource is located. |
additional_access_key_1_active | boolean | Indicates whether the user access key is active, or not. |
additional_access_key_1_exist | boolean | Indicates whether the user has an access key, or not. |
additional_access_key_1_last_rotated | timestamp with time zone | Specifies the time when the access key has been rotated. |
additional_access_key_1_last_used | timestamp with time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
additional_access_key_2_active | boolean | Indicates whether the user access key is active, or not. |
additional_access_key_2_exist | boolean | Indicates whether the user has an access key, or not. |
additional_access_key_2_last_rotated | timestamp with time zone | Specifies the time when the access key has been rotated. |
additional_access_key_2_last_used | timestamp with time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
additional_access_key_3_active | boolean | Indicates whether the user access key is active, or not. |
additional_access_key_3_exist | boolean | Indicates whether the user has an access key, or not. |
additional_access_key_3_last_rotated | timestamp with time zone | Specifies the time when the access key has been rotated. |
additional_access_key_3_last_used | timestamp with time zone | Specifies the time when the access key was most recently used to sign an Alicloud API request. |
generated_time | timestamp with time zone | Specifies the time when the credential report has been generated. |
mfa_active | boolean | Indicates whether a multi-factor authentication (MFA) device has been enabled for the user. |
password_active | boolean | Indicates whether the password is active, or not. |
password_exist | boolean | Indicates whether the user has any password for logging in, or not. |
password_last_changed | timestamp with time zone | Specifies the time when the password has been updated. |
password_next_rotation | timestamp with time zone | Specifies the time when the password will be rotated. |
user_creation_time | timestamp with time zone | Specifies the time when the user is created. |
user_last_logon | timestamp with time zone | Specifies the time when the user last logged in to the console. |
user_name | text | The email of the RAM user. |